Abstract


This document updates and corrects the IANA "XML Security URIs" registry that lists URIs 
intended for use with XML digital signatures, encryption, canonicalization, and key 
management. These URIs identify algorithms and types of information. This document also 
obsoletes and corrects three errata against RFC 6931. 


Status of This Memo 


This is an Internet Standards Track document. 


This document is a product of the Internet Engineering Task Force (IETF). It represents the 
consensus of the IETF community. It has received public review and has been approved for 
publication by the Internet Engineering Steering Group (IESG). Further information on Internet 
Standards is available in Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and how to provide feedback
on it may be obtained at https://www.rfc-editor.org/info/rfc9231.


Copyright Notice 


Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights 
reserved. 


Eastlake 3rd Standards Track Page 1 


RFC 9231 Additional XML Security URIs July 2022 


This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF 
Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this 
document. Please review these documents carefully, as they describe your rights and restrictions 
with respect to this document. Code Components extracted from this document must include 
Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are 
provided without warranty as described in the Revised BSD License.


1. Introduction


XML digital signatures, canonicalization, and encryption were standardized by the W3C and by 
the joint IETF/W3C XMLDSIG working group [W3C] [XMLSEC]. These are now W3C 
Recommendations and some are also RFCs. They are available as follows: 


RFC Status                  W3C REC       Topic
--------------------------  ------------  ----------------------------------
[RFC3275] Draft Standard    [XMLDSIG10]   XML Digital Signatures
[RFC3076] Informational     [CANON10]     Canonical XML
------                      [XMLENC10]    XML Encryption 1.0
[RFC3741] Informational     [XCANON]      Exclusive XML Canonicalization 1.0

Table 1


These documents and recommendations use URIs [RFC3986] to identify algorithms and keying
information types. The W3C has subsequently produced updated XML Signature 1.1 [XMLDSIG11],
Canonical XML 1.1 [CANON11], and XML Encryption 1.1 [XMLENC11] versions, as well as a new
XML Signature Properties specification [XMLDSIG-PROP].


In addition, the XML Encryption recommendation has been augmented by [GENERIC], which
defines algorithms, XML types, and elements necessary to use generic hybrid ciphers in XML 
security applications. [GENERIC] also provides for a key encapsulation algorithm and a data 
encapsulation algorithm, with the combination of the two forming the generic hybrid cipher. 


All camel-case element names (names with both interior upper and lower case letters) herein, 
such as DigestValue, are from these documents. 


This document is an updated convenient reference list of URIs and corresponding algorithms in 
which there is expressed interest. This document fixes Errata [Err3597], [Err3965], and [Err4004], 
and obsoletes [RFC6931]. 


All of the URIs for algorithms and data types herein are listed in the indexes in Section 4. Of these 
URIs, those that were added by earlier RFCs or by this document have a subsection in Section 2 or 
3. A few URIs defined elsewhere also have a subsection in Section 2 or 3, but most such URIs do 
not. For example, use of SHA-256 as defined in [XMLENC11] has no subsection here but is included 
in the indexes in Section 4. 


Specification in this document of the URI representing an algorithm does not imply endorsement 
of the algorithm for any particular purpose. A protocol specification, which this is not, generally 
gives algorithm and implementation requirements for the protocol. Security considerations for
algorithms are constantly evolving, as documented elsewhere. This specification simply provides 
some URIs and relevant formatting when those URIs are used. 


This document is not intended to change the algorithm implementation requirements of any IETF
or W3C document. Use of terminology from [RFC2119] and [RFC8174] is intended to be only such 
as is already stated or implied by other authoritative documents. 


Progressing XML Digital Signature [RFC3275] along the Standards Track required removal of any
algorithms from the original version [RFC3075] for which there was not demonstrated
interoperability. This required removal of the Minimal Canonicalization algorithm, in which there
was continued interest. The URI for Minimal Canonicalization was included in [RFC6931] and is 
included here. 


1.1. Terminology 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", 
"RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be 
interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 
capitals, as shown here. 


"camel-case" refers to terms that are mostly lower case but have internal capital letters. 


1.2. Acronyms 


The following acronyms are used in this document: 


AAD - Additional Authenticated Data

AEAD - Authenticated Encryption with Associated Data

ASN.1 - Abstract Syntax Notation 1

BER - Basic Encoding Rules [ITU-T-X.680]

DSA - Digital Signature Algorithm

DSS - Digital Signature Standard [FIPS186-4]

ECDSA - Elliptic Curve DSA

HMAC - Hashed Message Authentication Code [RFC2104] [RFC5869]

IETF - Internet Engineering Task Force <https://www.ietf.org>

MAC - Message Authentication Code

MD - Message Digest

NIST - United States National Institute of Standards and Technology <https://www.nist.gov>

OID - Object Identifier [ITU-T-X.660]

PKCS - Public Key Cryptography Standard

RSA - Rivest, Shamir, and Adleman

SHA - Secure Hash Algorithm

URI - Uniform Resource Identifier [RFC3986]

W3C - World Wide Web Consortium <https://www.w3.org>

XML - eXtensible Markup Language


2. Algorithms 


The URI [RFC3986] that was dropped from the XML Digital Signature standard due to the
transition from Proposed Standard to Draft Standard [RFC3275] is included in Section 2.4 with its
original

http://www.w3.org/2000/09/xmldsig#

prefix so as to avoid changing the XMLDSIG standard's namespace.

Additional algorithms in RFC 4051 were given URIs that start with

http://www.w3.org/2001/04/xmldsig-more#

Further algorithms added in [RFC6931] were given URIs that start with

http://www.w3.org/2007/05/xmldsig-more#

and algorithms added in this document are given URIs that start with

http://www.w3.org/2021/04/xmldsig-more#


In addition, for ease of reference, this document includes in the indexes in Section 4 many 
cryptographic algorithm URIs from XML security documents using the namespaces with which 
they are defined in those documents as follows: 


http://www.w3.org/2000/09/xmldsig# 
for some URIs specified in [RFC3275], 
http://www.w3.org/2001/04/xmlenc# 
for some URIs specified in [XMLENC10], and
http://www.w3/org/xmlsec-ghc# 
for some URIs specified in [GENERIC]. 


See also [XMLSECXREF]. 


2.1. DigestMethod (Hash) Algorithms 


These algorithms are usable wherever a DigestMethod element occurs. 


2.1.1. MD5


Identifier:
http://www.w3.org/2001/04/xmldsig-more#md5


The MD5 algorithm [RFC1321] takes no explicit parameters. An example of an MD5 
DigestAlgorithm element is: 


<DigestAlgorithm 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5" /> 


An MD5 digest is a 128-bit string. The content of the DigestValue element SHALL be the base64 
[RFC4648] encoding of this bit string viewed as a 16-octet stream. See [RFC6151] for MD5 security 
considerations. 


2.1.2. SHA-224 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#sha224 


The SHA-224 algorithm [FIPS180-4] [RFC6234] takes no explicit parameters. An example of a
SHA-224 DigestAlgorithm element is:


<DigestAlgorithm
Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224" />


A SHA-224 digest is a 224-bit string. The content of the DigestValue element SHALL be the base64
[RFC4648] encoding of this string viewed as a 28-octet stream.


2.1.3. SHA-384


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#sha384 


The SHA-384 algorithm [FIPS180-4] takes no explicit parameters. An example of a SHA-384 
DigestAlgorithm element is: 


<DigestAlgorithm 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" /> 


A SHA-384 digest is a 384-bit string. The content of the DigestValue element SHALL be the base64 
[RFC4648] encoding of this string viewed as a 48-octet stream. 


2.1.4. Whirlpool 


Identifier: 
http://www.w3.org/2007/05/xmldsig-more#whirlpool


The Whirlpool algorithm [ISO-10118-3] takes no explicit parameters. An example of a Whirlpool 
DigestAlgorithm element is: 


<DigestAlgorithm 
Algorithm="http://www.w3.org/2007/05/xmldsig-more#whirlpool" />


A Whirlpool digest is a 512-bit string. The content of the DigestValue element SHALL be the base64 
[RFC4648] encoding of this string viewed as a 64-octet stream. 


2.1.5. SHA-3 Algorithms 


Identifiers: 
http://www.w3.org/2007/05/xmldsig-more#sha3-224
http://www.w3.org/2007/05/xmldsig-more#sha3-256
http://www.w3.org/2007/05/xmldsig-more#sha3-384
http://www.w3.org/2007/05/xmldsig-more#sha3-512


NIST conducted a hash function competition for an alternative to the SHA family. The
Keccak-f[1600] algorithm was selected [KECCAK]. This hash function is commonly referred to as
"SHA-3" [FIPS202].


A SHA-3 224, 256, 384, and 512 digest is a 224-, 256-, 384-, and 512-bit string, respectively. The content
of the DigestValue element SHALL be the base64 [RFC4648] encoding of this string viewed as a 28-,
32-, 48-, and 64-octet stream, respectively. An example of a SHA3-224 DigestAlgorithm element is:


<DigestAlgorithm
Algorithm="http://www.w3.org/2007/05/xmldsig-more#sha3-224" />


2.2. SignatureMethod MAC Algorithms


This section covers SignatureMethod Message Authentication Code (MAC) Algorithms.


Note: Some text in this section is duplicated from [RFC3275] for the convenience of the reader. 
[RFC3275] is normative in case of conflict. 


2.2.1. HMAC-MD5


Identifier:
http://www.w3.org/2001/04/xmldsig-more#hmac-md5


The HMAC algorithm [RFC2104] takes the truncation length in bits as a parameter; if the 
parameter is not specified, then all the bits of the hash are output. An example of an HMAC-MD5 
SignatureMethod element is as follows:


<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-md5">
<HMACOutputLength>112</HMACOutputLength>
</SignatureMethod>


The output of the HMAC algorithm is the output (possibly truncated) of the chosen digest 
algorithm. This value SHALL be base64 [RFC4648] encoded in the same straightforward fashion as 
the output of the digest algorithms. Example: the SignatureValue element for the HMAC-MD5 
digest 

9294727A 3638BB1C 13F48EF8 158BFC9D 


from the test vectors in [RFC2104] would be 


kpRyejY4uxwT9I74FYv8nQ==


Schema Definition:


<simpleType name="HMACOutputLength">
<restriction base="integer"/>
</simpleType>


DTD:


<!ELEMENT HMACOutputLength (#PCDATA) >


The Schema Definition and DTD immediately above are copied from [RFC3275]. 
See [RFC6151] for HMAC-MD5 security considerations. 
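

The following Python sketch is an added example, not text from the RFC. It derives the SignatureValue shown above from the RFC 2104 test vector and applies HMACOutputLength truncation. The 80-bit / half-the-hash floor comes from XML Signature 1.1 and the whole-octet restriction is an assumption of this sketch; neither is stated in this section.

```python
import base64
import hashlib
import hmac

MORE_2001 = "http://www.w3.org/2001/04/xmldsig-more#"
HMAC_MD5_URI = MORE_2001 + "hmac-md5"

# Digest behind each HMAC SignatureMethod URI from Sections 2.2.1 and 2.2.2.
HMAC_DIGESTS = {
    HMAC_MD5_URI: "md5",
    MORE_2001 + "hmac-sha224": "sha224",
    MORE_2001 + "hmac-sha256": "sha256",
    MORE_2001 + "hmac-sha384": "sha384",
    MORE_2001 + "hmac-sha512": "sha512",
}

# RFC 2104 test vector that yields the digest 9294727A 3638BB1C 13F48EF8 158BFC9D.
RFC2104_KEY = bytes([0x0B]) * 16
RFC2104_DATA = b"Hi There"


def hmac_octets(algorithm_uri, key, data, output_length_bits=None):
    """Return the (possibly truncated) HMAC octets for a SignatureMethod."""
    if algorithm_uri not in HMAC_DIGESTS:
        raise ValueError("not an HMAC SignatureMethod URI handled here")
    mac = hmac.new(key, data, HMAC_DIGESTS[algorithm_uri]).digest()
    if output_length_bits is None:
        return mac  # no HMACOutputLength: all bits of the hash are output
    full_bits = len(mac) * 8
    # Floor from XML Signature 1.1 (not from this section): at least 80 bits
    # and at least half of the hash output.
    floor_bits = max(80, full_bits // 2)
    # Assumption of this sketch: only whole-octet truncation lengths.
    if output_length_bits % 8 != 0:
        raise ValueError("HMACOutputLength must be a multiple of 8 here")
    if not floor_bits <= output_length_bits <= full_bits:
        raise ValueError("HMACOutputLength outside the accepted range")
    return mac[: output_length_bits // 8]  # truncation keeps the leftmost bits


def signature_value(algorithm_uri, key, data, output_length_bits=None):
    """Base64 text that goes into the SignatureValue element."""
    octets = hmac_octets(algorithm_uri, key, data, output_length_bits)
    return base64.b64encode(octets).decode("ascii")


def verify_signature_value(text, algorithm_uri, key, data,
                           output_length_bits=None):
    """Recompute the MAC and compare it with the received value in constant time."""
    expected = hmac_octets(algorithm_uri, key, data, output_length_bits)
    try:
        received = base64.b64decode("".join(text.split()), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    print(signature_value(HMAC_MD5_URI, RFC2104_KEY, RFC2104_DATA))
    print(signature_value(HMAC_MD5_URI, RFC2104_KEY, RFC2104_DATA, 112))
```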


2.2.2. HMAC SHA Variations 


Identifiers: 
http://www.w3.org/2001/04/xmldsig-more#hmac-sha224
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384 
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512 


SHA-224, SHA-256, SHA-384, and SHA-512 [FIPS180-4] [RFC6234] can also be used in HMAC as 
described in Section 2.2.1 for HMAC-MD5. 


2.2.3. HMAC-RIPEMD160 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160


RIPEMD-160 [ISO-10118-3] is a 160-bit hash that is used here in HMAC. The output can be 
optionally truncated. An example is as follows:


<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160">
<HMACOutputLength>144</HMACOutputLength>
</SignatureMethod>


2.2.4. Poly1305 


Identifier: 
http://www.w3.org/2021/04/xmldsig-more#poly1305


Poly1305 [RFC8439] [POLY1305] is a high-speed message authentication code algorithm. It takes a
32-octet one-time key and a message and produces a 16-octet tag, which is used to authenticate
the message. An example of a Poly1305 SignatureMethod element is as follows:


<SignatureMethod
Algorithm="http://www.w3.org/2021/04/xmldsig-more#poly1305"/>


2.2.5. SipHash-2-4


Identifier:
http://www.w3.org/2021/04/xmldsig-more#siphash-2-4


SipHash [SipHash1] [SipHash2] computes a 64-bit MAC from a 128-bit secret key and a
variable-length message. An example of a SipHash-2-4 SignatureMethod element is as follows:


<SignatureMethod
Algorithm="http://www.w3.org/2021/04/xmldsig-more#siphash-2-4" />


2.2.6. XMSS and XMSSMT 


XMSS (eXtended Merkle Signature Scheme) and XMSSMT (XMSS Multi-Tree) [RFC8391] are
stateful hash-based signature schemes [NIST800-208]. According to NIST, it is believed that the
security of these schemes depends only on the security of the underlying hash functions, in
particular the infeasibility of finding a preimage or a second preimage, and it is believed that the
security of these hash functions will not be broken by the development of large-scale quantum
computers.


For further information on the intended usage of these signature schemes and the careful state
management required to maintain their strength, see [NIST800-208].


IANA maintains a registry whose entries correspond to the XMSS Identifiers below (see [XMSS]).
The fragment part of the URIs is formed by replacing occurrences of underscore ("_") in the name
appearing in the IANA registry with hyphen ("-").


Identifiers for XMSS:


http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-10-192
http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-10-256
http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-10-512
http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-16-192
http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-16-256
http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-16-512
http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-20-192
http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-20-256
http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-20-512
http://www.w3.org/2021/04/xmldsig-more#xmss-shake-10-256
http://www.w3.org/2021/04/xmldsig-more#xmss-shake-10-512
http://www.w3.org/2021/04/xmldsig-more#xmss-shake-16-256
http://www.w3.org/2021/04/xmldsig-more#xmss-shake-16-512
http://www.w3.org/2021/04/xmldsig-more#xmss-shake-20-256
http://www.w3.org/2021/04/xmldsig-more#xmss-shake-20-512
http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-10-192
http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-10-256
http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-16-192
http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-16-256
http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-20-192
http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-20-256


The hash functions used in the XMSS signature schemes above are SHA2 [RFC6234] or one of the
two SHAKE extensible output functions [FIPS202] as indicated by the second token of the URI
extension (SHAKE means SHAKE128). The tree height for XMSS is 10, 16, or 20 as indicated by the
third token of the URI extension. The SHA2 or SHAKE output size is 192, 256, or 512 bits as
indicated by the final token of the URI extension. SHA2 with 192 bits of output means
SHA2-256/192, that is, the most significant 192 bits of the SHA-256 hash as specified in
[NIST800-208].


IANA maintains a registry whose entries correspond to the XMSSMT Identifiers below (see 
[XMSS]). The fragment part of the URIs is formed by replacing occurrences of underscore ("_") 
and slash ("/") in the name appearing in the IANA registry with hyphen ("-"). 


Identifiers for XMSSMT:


http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-2-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-2-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-2-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-4-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-4-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-4-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-2-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-2-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-2-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-4-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-4-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-4-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-8-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-8-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-8-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-3-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-3-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-3-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-6-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-6-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-6-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-12-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-12-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-12-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-20-2-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-20-2-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-20-4-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-20-4-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-2-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-2-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-4-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-4-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-8-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-8-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-3-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-3-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-6-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-6-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-12-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-12-512
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-20-2-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-20-2-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-20-4-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-20-4-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-2-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-2-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-4-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-4-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-8-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-8-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-3-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-3-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-6-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-6-256
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-12-192
http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-12-256


The hash functions used in the XMSSMT signature schemes above are SHA2 [RFC6234] or one of
the two SHAKE extensible output functions [FIPS202] as indicated by the second token of the
URI extension (SHAKE means SHAKE128). The tree height for XMSSMT is 20, 40, or 60 as indicated
by the third token of the URI extension. The number of layers is indicated by a fourth token. The
SHA2, SHAKE, or SHAKE256 output size is 192, 256, or 512 bits as indicated by the final token of the
URI extension. SHA2 with 192 bits of output means SHA2-256/192, that is, the most significant 192
bits of the SHA-256 hash as specified in [NIST800-208].


An example of an XMSS SignatureAlgorithm element is: 


<SignatureAlgorithm 
Algorithm="http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-10-192"
/> 
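

The token rules described above for XMSS and XMSSMT URIs can be enforced by a verifier before any signature processing. The Python sketch below is an added example, not part of the RFC. The allowlists are transcribed from the two identifier lists, the sample registry name is taken from RFC 8391, and the lower-casing step is inferred from the listed URIs rather than stated in the text.

```python
from typing import NamedTuple, Optional

MORE_2021 = "http://www.w3.org/2021/04/xmldsig-more#"

# Output sizes (bits) that appear with each hash token in the identifier lists.
OUTPUT_BITS = {"sha2": {192, 256, 512}, "shake": {256, 512},
               "shake256": {192, 256}}
XMSS_HEIGHTS = {10, 16, 20}
# XMSSMT tree height -> layer counts that appear in the identifier list.
XMSSMT_LAYERS = {20: {2, 4}, 40: {2, 4, 8}, 60: {3, 6, 12}}


class XmssParams(NamedTuple):
    scheme: str            # "xmss" or "xmssmt"
    hash_function: str     # resolved from the second and final tokens
    height: int            # third token
    layers: Optional[int]  # fourth token, XMSSMT only
    output_bits: int       # final token


def resolve_hash(token, bits):
    """Apply the naming rules from the text to the hash token."""
    if token == "shake":
        return "SHAKE128"            # "SHAKE means SHAKE128"
    if token == "shake256":
        return "SHAKE256"
    if bits == 192:
        return "SHA2-256/192"        # most significant 192 bits of SHA-256
    return "SHA-%d" % bits


def parse_xmss_uri(uri):
    """Parse an XMSS/XMSSMT SignatureMethod URI; raise ValueError if unlisted."""
    if not uri.startswith(MORE_2021):
        raise ValueError("not in the 2021/04 xmldsig-more namespace")
    tokens = uri[len(MORE_2021):].split("-")
    if tokens[0] == "xmss" and len(tokens) == 4:
        hash_token, numbers = tokens[1], [tokens[2], tokens[3]]
    elif tokens[0] == "xmssmt" and len(tokens) == 5:
        hash_token, numbers = tokens[1], tokens[2:5]
    else:
        raise ValueError("not an XMSS or XMSSMT fragment")
    for text in numbers:
        # ASCII digits only and no leading zeros, so one URI per parameter set.
        if not (text.isascii() and text.isdigit() and str(int(text)) == text):
            raise ValueError("malformed numeric token")
    values = [int(text) for text in numbers]
    height, bits = values[0], values[-1]
    layers = values[1] if len(values) == 3 else None
    if bits not in OUTPUT_BITS.get(hash_token, ()):
        raise ValueError("hash/output size combination is not listed")
    if layers is None and height not in XMSS_HEIGHTS:
        raise ValueError("XMSS tree height is not listed")
    if layers is not None and layers not in XMSSMT_LAYERS.get(height, ()):
        raise ValueError("XMSSMT height/layers combination is not listed")
    return XmssParams(tokens[0], resolve_hash(hash_token, bits),
                      height, layers, bits)


def registry_name_to_fragment(name):
    """Map an IANA registry name to the URI fragment ("_" and "/" become "-")."""
    # Lower-casing is inferred from the URIs listed above, not stated in the text.
    return name.replace("_", "-").replace("/", "-").lower()


if __name__ == "__main__":
    print(parse_xmss_uri(MORE_2021 + "xmss-sha2-10-192"))
    print(registry_name_to_fragment("XMSSMT-SHA2_20/2_256"))
```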


2.3. SignatureMethod Public Key Signature Algorithms 


These algorithms are distinguished from those in Section 2.2 in that they use public key methods. 
That is to say, the signing key is different from and not feasibly derivable from the verification 
key. 


2.3.1. RSA-MD5


Identifier:
http://www.w3.org/2001/04/xmldsig-more#rsa-md5


This implies the PKCS #1 v1.5 padding algorithm described in [RFC8017]. An example of use is: 


<SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5" />


The SignatureValue content for an RSA-MD5 signature is the base64 [RFC4648] encoding of the
octet string computed as per Section 8.2.1 of [RFC8017], signature generation for the RSASSA- 
PKCS1-v1_5 signature scheme. As specified in the EMSA-PKCS1-V1_5-ENCODE function in Section 
9.2 of [RFC8017], the value input to the signature function MUST contain a prepended algorithm 
object identifier for the hash function, but the availability of an ASN.1 parser and recognition of 
OIDs is not required of a signature verifier. The PKCS #1 v1.5 representation appears as: 


CRYPT (PAD (ASN.1 (OID, DIGEST (data)))) 


The padded ASN.1 will be of the following form: 


01 | FF* | 00 | prefix | hash


The vertical bar ("|") represents concatenation. "01", "FF", and "00" are fixed octets of the
corresponding hexadecimal value, and the asterisk ("*") after "FF" indicates repetition. "hash" is
the MD5 digest of the data. "prefix" is the ASN.1 BER MD5 algorithm designator prefix required in
PKCS #1 [RFC8017], that is,

hex 30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10


This prefix is included to make it easier to use standard cryptographic libraries. The FF octet MUST 
be repeated enough times that the value of the quantity being CRYPTed is exactly one octet
shorter than the RSA modulus. 


See [RFC6151] for MD5 security considerations. 
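

The padded form above lends itself to verification by reconstruction: build the one block that is valid for the data and modulus size, then compare it octet for octet with the block recovered from the signature. The Python sketch below is an added example, not part of the RFC. The function names are hypothetical, the RSA public-key operation is assumed to have been done already, and the minimum of eight FF octets comes from [RFC8017] rather than from this section.

```python
import hashlib
import hmac

# ASN.1 BER MD5 algorithm designator prefix quoted in the text above.
MD5_PREFIX = bytes.fromhex("3020300c06082a864886f70d020505000410")


def pkcs1_v15_md5_block(data, modulus_octets):
    """Build 01 | FF* | 00 | prefix | hash, one octet shorter than the modulus."""
    tail = b"\x00" + MD5_PREFIX + hashlib.md5(data).digest()
    ff_count = (modulus_octets - 1) - 1 - len(tail)
    if ff_count < 8:
        # RFC 8017 requires at least eight padding octets.
        raise ValueError("modulus too short for this encoding")
    return b"\x01" + b"\xff" * ff_count + tail


def recovered_block_is_valid(recovered, data, modulus_octets):
    """Check the integer recovered by the RSA public-key operation.

    Comparing against the single expected block rejects a short FF run,
    extra octets after the hash, and any altered prefix in one step,
    without parsing the ASN.1.
    """
    expected = pkcs1_v15_md5_block(data, modulus_octets)
    try:
        candidate = recovered.to_bytes(modulus_octets - 1, "big")
    except OverflowError:
        return False  # negative, or too large to start with the 01 octet
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: the block for a 2048-bit (256-octet) modulus.
    block = pkcs1_v15_md5_block(b"abc", 256)
    print(len(block), block[:4].hex(), block[-16:].hex())
```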


2.3.2. RSA-SHA256 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256


This implies the PKCS #1 v1.5 padding algorithm [RFC8017] as described in Section 2.3.1 but with 
the ASN.1 BER SHA-256 algorithm designator prefix. An example of use is: 


<SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> 


2.3.3. RSA-SHA384 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384


This implies the PKCS #1 v1.5 padding algorithm [RFC8017] as described in Section 2.3.1 but with 
the ASN.1 BER SHA-384 algorithm designator prefix. An example of use is: 


<SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" /> 


Because it takes about the same effort to calculate a SHA-384 message digest as it does a SHA-512 
message digest, it is suggested that RSA-SHA512 be used in preference to RSA-SHA384 where
possible. 


2.3.4. RSA-SHA512 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 


This implies the PKCS #1 v1.5 padding algorithm [RFC8017] as described in Section 2.3.1 but with 
the ASN.1 BER SHA-512 algorithm designator prefix. An example of use is:


<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />


2.3.5. RSA-RIPEMD160 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160


This implies the PKCS #1 v1.5 padding algorithm [RFC8017] as described in Section 2.3.1 but with 
the ASN.1 BER RIPEMD160 algorithm designator prefix. An example of use is: 


<SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"
/>


2.3.6. ECDSA-SHA*, ECDSA-RIPEMD160, ECDSA-Whirlpool 


Identifiers: 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384 
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512 
http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224
http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256
http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384
http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512
http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160
http://www.w3.org/2007/05/xmldsig-more#ecdsa-whirlpool


The Elliptic Curve Digital Signature Algorithm (ECDSA) [FIPS186-4] is the elliptic curve analogue of 
the Digital Signature Algorithm (DSA) signature method, i.e., the Digital Signature Standard (DSS). 
It takes no explicit parameters. For some detailed specifications of how to use it with SHA hash 
functions and XML Digital Signature, please see [X9.62] and [RFC4050]. The #sha3-*, #ecdsa- 
ripemd160, and #ecdsa-whirlpool fragments identify signature methods processed in the same 
way as specified by the #ecdsa-sha1 fragment, with the exception that a SHA3 function (see 
Section 2.1.5), RIPEMD160, or Whirlpool (see Section 2.1.4) is used instead of SHA-1. 


The output of the ECDSA algorithm consists of a pair of integers usually referred to as the pair (r, 
s). The signature value consists of the base64 encoding of the concatenation of two octet streams 
that respectively result from the octet encoding of the values r and s in that order. Conversion
from integer to octet stream must be done according to the I2OSP operation defined in the 
[RFC8017] specification with the l parameter equal to the size of the base point order of the curve 
in octets (e.g., 32 for the P-256 curve and 66 for the P-521 curve [FIPS186-4]). 
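

The fixed-width r | s layout described above differs from the ASN.1 DER form that many cryptographic libraries produce and expect. The Python sketch below is an added example, not part of the RFC. It encodes and strictly decodes the SignatureValue content and goes one step beyond the text by converting to DER; the function names are hypothetical and the integers are constructed samples.

```python
import base64


def i2osp(x, length):
    """I2OSP from RFC 8017: big-endian, left-padded to exactly `length` octets."""
    if x < 0 or x >= 256 ** length:
        raise ValueError("integer does not fit in the requested length")
    return x.to_bytes(length, "big")


def encode_signature_value(r, s, order_octets):
    """Base64 of I2OSP(r) | I2OSP(s); order_octets is 32 for P-256, 66 for P-521."""
    raw = i2osp(r, order_octets) + i2osp(s, order_octets)
    return base64.b64encode(raw).decode("ascii")


def decode_signature_value(text, order_octets):
    """Return (r, s); reject anything that is not exactly 2 * order_octets long."""
    raw = base64.b64decode("".join(text.split()), validate=True)
    if len(raw) != 2 * order_octets:
        raise ValueError("SignatureValue has the wrong length for this curve")
    r = int.from_bytes(raw[:order_octets], "big")
    s = int.from_bytes(raw[order_octets:], "big")
    return r, s


def der_length(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(x):
    """Minimal DER INTEGER for a non-negative value."""
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the value positive
    return b"\x02" + der_length(len(body)) + body


def to_der(r, s):
    """SEQUENCE { INTEGER r, INTEGER s }, the form most libraries verify."""
    content = der_integer(r) + der_integer(s)
    return b"\x30" + der_length(len(content)) + content


if __name__ == "__main__":
    # Constructed sample values; real r and s come from the signer.
    value = encode_signature_value(1, 2, 32)
    r, s = decode_signature_value(value, 32)
    print(value, to_der(r, s).hex())
```

In the XML form the leading zero octets are significant, while DER strips them, so the two encodings of the same signature differ in length.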


For an introduction to elliptic curve cryptographic algorithms, see [RFC6090] and note the errata 
(Errata IDs 2773-2777).


2.3.7. ESIGN-SHA*


Identifiers: 
http://www.w3.org/2001/04/xmldsig-more#esign-sha1
http://www.w3.org/2001/04/xmldsig-more#esign-sha224 
http://www.w3.org/2001/04/xmldsig-more#esign-sha256 
http://www.w3.org/2001/04/xmldsig-more#esign-sha384 
http://www.w3.org/2001/04/xmldsig-more#esign-sha512 


The ESIGN algorithm specified in [IEEEP1363a] is a signature scheme based on the integer 
factorization problem. 


An example of use is: 


<SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#esign-sha1"
/>


2.3.8. RSA-Whirlpool 


Identifier: 
http://www.w3.org/2007/05/xmldsig-more#rsa-whirlpool


As in the definition of the RSA-SHA1 algorithm in [XMLDSIG11], the designator "RSA" means the 
RSASSA-PKCS1-v1_5 algorithm as defined in [RFC8017]. When identified through the #rsa- 
whirlpool fragment identifier, Whirlpool is used as the hash algorithm instead. Use of the ASN.1 
BER Whirlpool algorithm designator is implied. That designator is: 

hex 30 4e 30 0a 06 06 28 cf 06 03 00 37 05 00 04 40

as an explicit octet sequence. This corresponds to OID 1.0.10118.3.0.55 defined in [ISO-10118-3].


An example of use is: 


<SignatureMethod 
Algorithm="http://www.w3.org/2007/05/xmldsig-more#rsa-whirlpool"
/> 


2.3.9. RSASSA-PSS with Parameters 


Identifiers: 
http://www.w3.org/2007/05/xmldsig-more#rsa-pss
http://www.w3.org/2007/05/xmldsig-more#MGF1


These identifiers use the PKCS #1 EMSA-PSS encoding algorithm [RFC8017]. The RSASSA-PSS
algorithm takes the digest method (hash function), a mask generation function, the salt length in 
octets (SaltLength), and the trailer field as explicit parameters. 


Algorithm identifiers for hash functions specified in XML encryption [XMLENC11], [XMLDSIG11], 
and in Section 2.1 are considered to be valid algorithm identifiers for hash functions. According to 
[RFC8017], the default value for the digest function is SHA-1, but due to the discovered weakness of 
SHA-1 [RFC6194], it is recommended that SHA-256 or a stronger hash function be used. 
Notwithstanding [RFC8017], SHA-256 is the default to be used with these SignatureMethod 
identifiers if no hash function has been specified. 


The default salt length for these SignatureMethod identifiers, if the SaltLength is not specified, 
SHALL be the number of octets in the hash value of the digest method as recommended in 
[RFC4055]. In a parameterized RSASSA-PSS signature, the ds:DigestMethod and the SaltLength 
parameters usually appear. If they do not, the defaults make this equivalent to
<http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1> (see Section 2.3.10). The TrailerField
defaults to 1 (0xBC) when omitted. 
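

The default rules above can be applied mechanically when a verifier reads a parameterized RSASSA-PSS SignatureMethod. The Python sketch below is an added example, not part of the RFC. The sample elements are constructed, `resolve_pss_params` is a hypothetical name, and the SHA-256 DigestMethod URI is the one from XML Encryption, which this section does not spell out.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MORE_2001 = "http://www.w3.org/2001/04/xmldsig-more#"
MORE_2007 = "http://www.w3.org/2007/05/xmldsig-more#"
RSA_PSS = MORE_2007 + "rsa-pss"
MGF1 = MORE_2007 + "MGF1"
# SHA-256 DigestMethod URI from XML Encryption (not spelled out in this section).
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Hash output sizes in octets: the Section 2.1 values plus SHA-256.
DIGEST_OCTETS = {
    SHA256: 32,
    MORE_2001 + "sha224": 28, MORE_2001 + "sha384": 48,
    MORE_2007 + "sha3-224": 28, MORE_2007 + "sha3-256": 32,
    MORE_2007 + "sha3-384": 48, MORE_2007 + "sha3-512": 64,
}

# Constructed samples: no parameters at all, and an explicit SHA-384 digest.
SAMPLE_DEFAULTS = f'<ds:SignatureMethod xmlns:ds="{DS}" Algorithm="{RSA_PSS}"/>'
SAMPLE_SHA384 = (
    f'<ds:SignatureMethod xmlns:ds="{DS}" xmlns:pss="{MORE_2007}" '
    f'Algorithm="{RSA_PSS}"><pss:RSAPSSParams>'
    f'<ds:DigestMethod Algorithm="{MORE_2001}sha384"/>'
    f'</pss:RSAPSSParams></ds:SignatureMethod>'
)


def int_child(parent, name, default):
    """Read an optional integer child of RSAPSSParams, or return the default."""
    element = None if parent is None else parent.find(f"{{{MORE_2007}}}{name}")
    if element is None:
        return default
    return int((element.text or "").strip())  # ValueError if not an integer


def resolve_pss_params(signature_method_xml):
    """Return the effective digest, MGF, salt length and trailer field."""
    method = ET.fromstring(signature_method_xml)
    if method.tag != f"{{{DS}}}SignatureMethod" or method.get("Algorithm") != RSA_PSS:
        raise ValueError("not a parameterized RSASSA-PSS SignatureMethod")
    params = method.find(f"{{{MORE_2007}}}RSAPSSParams")
    digest_el = None if params is None else params.find(f"{{{DS}}}DigestMethod")
    # SHA-256 is the default for these identifiers, notwithstanding RFC 8017.
    digest = SHA256 if digest_el is None else digest_el.get("Algorithm")
    if digest not in DIGEST_OCTETS:
        raise ValueError("digest method not accepted by this verifier")
    mgf_el = (None if params is None
              else params.find(f"{{{MORE_2007}}}MaskGenerationFunction"))
    mgf = MGF1 if mgf_el is None else mgf_el.get("Algorithm", MGF1)
    if mgf != MGF1:
        raise ValueError("only MGF1 is defined")
    # Default salt length is the number of octets in the hash value.
    salt = int_child(params, "SaltLength", DIGEST_OCTETS[digest])
    if salt < 0:
        raise ValueError("negative SaltLength")
    trailer = int_child(params, "TrailerField", 1)
    if trailer != 1:
        raise ValueError("only TrailerField 1 (0xBC) is defined")
    all_defaults = (digest == SHA256 and mgf_el is None
                    and salt == DIGEST_OCTETS[SHA256])
    return {
        "digest": digest, "mgf": mgf, "salt_octets": salt,
        "trailer_field": trailer,
        # The text states this equivalence only for the all-defaults case.
        "shorthand": MORE_2007 + "sha256-rsa-MGF1" if all_defaults else None,
    }


if __name__ == "__main__":
    print(resolve_pss_params(SAMPLE_DEFAULTS))
    print(resolve_pss_params(SAMPLE_SHA384))
```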


Schema Definition (target namespace <http://www.w3.org/2007/05/xmldsig-more#>):


<xs:element name="RSAPSSParams" type="pss:RSAPSSParamsType">
  <xs:annotation>
    <xs:documentation>
      Top level element that can be used in xs:any namespace="#other"
      wildcard of ds:SignatureMethod content.
    </xs:documentation>
  </xs:annotation>
</xs:element>
<xs:complexType name="RSAPSSParamsType">
  <xs:sequence>
    <xs:element ref="ds:DigestMethod" minOccurs="0"/>
    <xs:element name="MaskGenerationFunction"
      type="pss:MaskGenerationFunctionType" minOccurs="0"/>
    <xs:element name="SaltLength" type="xs:int"
      minOccurs="0"/>
    <xs:element name="TrailerField" type="xs:int"
      minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
<xs:complexType name="MaskGenerationFunctionType">
  <xs:sequence>
    <xs:element ref="ds:DigestMethod" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="Algorithm" type="xs:anyURI"
    default="http://www.w3.org/2007/05/xmldsig-more#MGF1"/>
</xs:complexType>


2.3.10. RSASSA-PSS without Parameters 


[RFC8017] currently specifies only one mask generation function MGF1 based on a hash function. 
Although [RFC8017] allows for parameterization, the default is to use the same hash function as 
the digest method function. Only this default approach is supported by this section; therefore, the
definition of a mask generation function type is not needed yet. The same applies to the trailer
field. There is only one value (0xBC) specified in [RFC8017]. Hence, this default parameter must be 
used for signature generation. The default salt length is the length of the hash function. 


Identifiers: 
http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#md2-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#md5-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#ripemd128-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#ripemd160-rsa-MGF1
http://www.w3.org/2007/05/xmldsig-more#whirlpool-rsa-MGF1


An example of use is: 


<SignatureMethod 

Algorithm= 

"http ://www.w3.org/2007/05/xmldsig-more#SHA3-256-rsa-MGF1" 
He 


2.3.11. RSA-SHA224 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha224 


This implies the PKCS #1 v1.5 padding algorithm [RFC8017] as described in Section 2.3.1 but with 
the ASN.1 BER SHA-224 algorithm designator prefix. An example of use is: 


<SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224" /> 


Because it takes about the same effort to calculate a SHA-224 message digest as it does a SHA-256 
message digest, it is suggested that RSA-SHA256 be used in preference to RSA-SHA224 where 
possible. 


See also Appendix B concerning an erroneous version of this URI that appeared in [RFC6931]. 


2.3.12. Edwards-Curve 


The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of Schnorr's signature system 
with Edwards curves. A specification is provided and some advantages listed in [RFC8032]. The 
general EdDSA takes 11 parameters that must be carefully chosen for secure and efficient 
operation. Identifiers for two variants, Ed25519 and Ed448, are given below. 


Ed25519 uses 32-octet public keys and produces 64-octet signatures. It provides about 128 bits of 
security and uses SHA-512 [RFC6234] internally as part of signature generation. 


Ed448 uses 57-octet public keys and produces 114-octet signatures. It provides about 224 bits of 
security and uses "SHAKE256" [FIPS202] internally as part of signature generation. (SHAKE256 is 
specified by NIST as an "Extensible Output Function" and not specified or approved by NIST as a 
secure hash function.) 


For further information on the variants of EdDSA identified below, see [RFC8032]. 


Identifiers: 
http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ph 
http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ctx 
http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519 
http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448 
http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448ph 


An example of use is: 


<SignatureMethod Algorithm= 
   "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448" /> 


2.4. Minimal Canonicalization 


Thus far, two independent interoperable implementations of Minimal Canonicalization have not 
been announced. Therefore, when "XML-Signature Syntax and Processing" was advanced along 
the Standards Track from [RFC3075] to [RFC3275], Minimal Canonicalization was dropped. 
However, there was still interest. For its definition, see Section 6.5.1 of [RFC3075]. 


For reference, its identifier remains: 
http://www.w3.org/2000/09/xmldsig#minimal 


2.5. Transform Algorithms 


The XPointer Transform algorithm syntax is described below. All CanonicalizationMethod 
algorithms can also be used as Transform algorithms. 


2.5.1. XPointer 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#xptr 


This transform algorithm takes an [XPointer] as an explicit parameter. An example of use is: 


<Transform 
   Algorithm="http://www.w3.org/2001/04/xmldsig-more/xptr"> 
   <XPointer 
      xmlns="http://www.w3.org/2001/04/xmldsig-more/xptr"> 
      xpointer(id("foo")) xmlns(bar=http://foobar.example) 
      xpointer(//bar:Zab[@Id="foo"]) 
   </XPointer> 
</Transform> 


Schema Definition: 
<element name="XPointer" type="string"/> 
DTD: 


<!ELEMENT XPointer (#PCDATA) > 


Input to this transform is an octet stream (which is then parsed into XML). 


Output from this transform is a node set; the results of the XPointer are processed as defined in 
the XMLDSIG specification [RFC3275] for a same-document XPointer. 


2.6. EncryptionMethod Algorithms 


This subsection gives identifiers and information for several EncryptionMethod Algorithms. 


2.6.1. ARCFOUR Encryption Algorithm 


Identifier: 
http://www.w3.org/2001/04/xmldsig-more#arcfour 


ARCFOUR is a fast, simple stream encryption algorithm that is compatible with RSA Security's RC4 
algorithm [RC4] (Rivest Cipher 4); however, RC4 has been found to have a number of weaknesses 
and its use is prohibited in several IETF protocols, for example TLS [RFC7465]. An example 
EncryptionMethod element using ARCFOUR is: 


<EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#arcfour"> 
<KeySize>40</KeySize> 

</EncryptionMethod> 


ARCFOUR makes use of the generic KeySize parameter specified and defined in [XMLENC11]. 


2.6.2. Camellia Block Encryption 


Identifiers: 
http://www.w3.org/2001/04/xmldsig-more#camellia128-cbc 
http://www.w3.org/2001/04/xmldsig-more#camellia192-cbc 
http://www.w3.org/2001/04/xmldsig-more#camellia256-cbc 


Camellia is a block cipher with the same interface as the AES [CAMELLIA] [RFC3713]; it has a 
128-bit block size and 128-, 192-, and 256-bit key sizes. In XML Encryption, Camellia is used in the 
same way as the AES: It is used in the Cipher Block Chaining (CBC) mode with a 128-bit initialization 
vector (IV). The resulting cipher text is prefixed by the IV. If included in XML output, it is then 
base64 encoded. An example Camellia EncryptionMethod is as follows: 


<EncryptionMethod 
   Algorithm= 
   "http://www.w3.org/2001/04/xmldsig-more#camellia128-cbc" 
/> 


2.6.3. Camellia Key Wrap 


Identifiers: 
http://www.w3.org/2001/04/xmldsig-more#kw-camellia128 
http://www.w3.org/2001/04/xmldsig-more#kw-camellia192 
http://www.w3.org/2001/04/xmldsig-more#kw-camellia256 


Camellia [CAMELLIA] [RFC3713] key wrap is identical to the AES key wrap algorithm [RFC3394] 
specified in the XML Encryption standard with "AES" replaced by "Camellia". As with AES key 
wrap, the check value is 0xA6A6A6A6A6A6A6A6. 


The algorithm is the same regardless of the size of the Camellia key used in wrapping, called the 
"key encrypting key" or "KEK". If Camellia is supported, it is particularly suggested that wrapping 
128-bit keys with a 128-bit KEK and wrapping 256-bit keys with a 256-bit KEK be supported. 


An example of use is: 


<EncryptionMethod 
   Algorithm= 
   "http://www.w3.org/2001/04/xmldsig-more#kw-camellia128" 
/> 


2.6.4. PSEC-KEM, RSAES-KEM, and ECIES-KEM 


Identifiers: 
http://www.w3.org/2001/04/xmldsig-more#psec-kem 
http://www.w3.org/2010/xmlsec-ghc#rsaes-kem 
http://www.w3.org/2010/xmlsec-ghc#ecies-kem 


These algorithms, specified in [ISO-18033-2], are key encapsulation mechanisms using elliptic 
curve or RSA encryption. RSAES-KEM and ECIES-KEM are also specified in [GENERIC]. 


An example of use of PSEC-KEM is: 


<EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#psec-kem"> 
<ECParameters> 
<Version>version</Version> 
<FieldID>id</FieldID> 
<Curve>curve</Curve> 
<Base>base</Base> 
<Order>order</Order> 
<Cofactor>cofactor</Cofactor> 
</ECParameters> 
</EncryptionMethod> 


See [ISO-18033-2] for information on the parameters above. 


2.6.5. SEED Block Encryption 


Identifier: 
http://www.w3.org/2007/05/xmldsig-more#seed128-cbc 


SEED [RFC4269] is a block cipher with a 128-bit block size and 128-bit key size. In XML Encryption, 
SEED can be used in the Cipher Block Chaining (CBC) mode with a 128-bit initialization vector (IV). 
The resulting cipher text is prefixed by the IV. If included in XML output, it is then base64 encoded. 


An example SEED EncryptionMethod is as follows: 


<EncryptionMethod 
   Algorithm="http://www.w3.org/2007/05/xmldsig-more#seed128-cbc" /> 


2.6.6. SEED Key Wrap 


Identifier: 
http://www.w3.org/2007/05/xmldsig-more#kw-seed128 


Key wrapping with SEED is identical to Section 2.2.1 of [RFC3394] with "AES" replaced by "SEED". 
The algorithm is specified in [RFC4010]. The implementation of SEED is optional. The default 
initial value is 0xA6A6A6A6A6A6A6A6. 


An example of use is: 


<EncryptionMethod 
Algorithm= 
"http://www.w3.org/2007/05/xmldsig-more#kw-seed128" 
/> 


2.6.7. ChaCha20 


Identifier: 
http://www.w3.org/2021/04/xmldsig-more#chacha20 


ChaCha20 [RFC8439], a stream cipher, is a variant of Salsa20 [ChaCha]. It is considerably faster 
than AES in software-only implementations. In addition to a 256-bit key and the plain text to be 
encrypted, ChaCha20 takes a 96-bit Nonce and an initial 32-bit Counter. The Nonce and Counter 
are represented as hex in nested elements as shown below. 


An example of use is: 


<EncryptionMethod 
Algorithm= 
"http://www.w3.org/2021/04/xmldsig-more#chacha20"> 
<Nonce>0123456789abcdef01234567</Nonce> 
<Counter>fedcba09</Counter> 

</EncryptionMethod> 


2.6.8. ChaCha20-Poly1305 


Identifier: 
http://www.w3.org/2021/04/xmldsig-more#chacha20poly1305 


ChaCha20+Poly1305 is an Authenticated Encryption with Associated Data (AEAD) algorithm. In 
addition to a 256-bit key and plain text to be encrypted and authenticated, ChaCha20+Poly1305 
takes a 96-bit Nonce and variable-length Additional Authenticated Data (AAD). The Nonce is 
represented as a child element of the EncryptionMethod element with a hex value. The AAD is a 
string, which may be null. The AAD element may be absent, in which case the AAD is null. The 
CipherData, either present in the CipherValue or by reference, is the concatenation of the 
encrypted ChaCha20 output and the Poly1305 128-bit tag. 


An example of use is: 


<EncryptionMethod 
   Algorithm= 
   "http://www.w3.org/2021/04/xmldsig-more#chacha20poly1305"> 
   <Nonce>0123456789abcdef01234567</Nonce> 
   <AAD>The quick brown fox jumps over the lazy dog.</AAD> 
</EncryptionMethod> 


2.7. Key AgreementMethod Algorithm 


This subsection gives identifiers and information for an additional Key AgreementMethod 
Algorithm [XMLENC11]. 


2.7.1. X25519 and X448 Key Agreement 


Identifier: 
http://www.w3.org/2021/04/xmldsig-more#x25519 
http://www.w3.org/2021/04/xmldsig-more#x448 


The X25519 and X448 key agreement algorithms are specified in [RFC7748]. 


2.8. KeyDerivationMethod Algorithm 

This subsection gives identifiers and information for an additional KeyDerivationMethod 
Algorithm [XMLENC11]. 

2.8.1. HKDF Key Derivation 


This section covers the HMAC-based Extract-and-Expand Key Derivation Function (HKDF 
[RFC5869]). 


Identifier: 
http://www.w3.org/2021/04/xmldsig-more#hkdf 


HKDF takes as inputs a hash function, an optional non-secret "salt", initial keying material (IKM), 
optional context and application-specific "info", and the required output keying size. Note that 
these strictly determine the output so, for example, invoking HKDF at different times but with the 
same Salt, info, initial keying material, and output key size will produce identical output keying 
material. 


The inputs can be supplied to HKDF as follows: 


hashfunction: The algorithm attribute of a child DigestMethod element. 


salt: The content of a Salt child element of AgreementMethod in hex. If not provided, a string of 
zero octets as long as the hash function output is used as specified in [RFC5869]. 


IKM: The content of an OriginatorKeyInfo child element of AgreementMethod in hex. May be 
absent in some applications where this is known through some other method. 


info: The content of the KA-Nonce child element of AgreementMethod in hex. 


size: The content of a KeySize child element of AgreementMethod as a decimal number. 


Here is the test case from Appendix A.1 of [RFC5869] as an example: 


<AgreementMethod 
   algorithm="http://www.w3.org/2021/04/xmldsig-more#hkdf"> 
   <DigestMethod 
      algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/> 
   <Salt>000102030405060708090a0b0c</Salt> 
   <OriginatorKeyInfo>0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b 
   </OriginatorKeyInfo> 
   <KA-Nonce>f0f1f2f3f4f5f6f7f8f9</KA-Nonce> 
   <KeySize>42</KeySize> 
</AgreementMethod> 
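The mapping from AgreementMethod children to HKDF inputs can be exercised end to end. The following is an added example, not part of the RFC: it parses the element above, runs HKDF [RFC5869] with Python's standard library, and reproduces the output keying material of the Appendix A.1 test case. Function names are illustrative, and accepting only the four SHA-2 HMAC DigestMethod URIs is an assumption of this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

HKDF_URI = "http://www.w3.org/2021/04/xmldsig-more#hkdf"
# DigestMethod identifiers accepted here (assumption: only the SHA-2 HMAC URIs
# from this document's index are mapped; anything else is refused).
HASH_BY_URI = {
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224": "sha224",
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384": "sha384",
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512": "sha512",
}

# Constructed input: the AgreementMethod element shown above (RFC 5869, A.1).
SAMPLE = """<AgreementMethod
  algorithm="http://www.w3.org/2021/04/xmldsig-more#hkdf">
  <DigestMethod
    algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
  <Salt>000102030405060708090a0b0c</Salt>
  <OriginatorKeyInfo>0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
  </OriginatorKeyInfo>
  <KA-Nonce>f0f1f2f3f4f5f6f7f8f9</KA-Nonce>
  <KeySize>42</KeySize>
</AgreementMethod>"""


def hkdf(hash_name, salt, ikm, info, length):
    """HKDF extract-then-expand as specified in RFC 5869."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("KeySize outside 1..255*HashLen octets")
    if not salt:                      # absent salt: HashLen zero octets
        salt = bytes(hash_len)
    prk = hmac.new(salt, ikm, hash_name).digest()             # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                   # expand
        block = hmac.new(prk, block + info + bytes([counter]),
                         hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def _algorithm(elem):
    # The sample spells the attribute "algorithm"; accept "Algorithm" as well.
    value = elem.get("Algorithm") or elem.get("algorithm")
    if value is None:
        raise ValueError("<%s> has no algorithm attribute" % elem.tag)
    return value


def _hex_child(parent, tag):
    # Hex content of a child element, or None when absent or empty.
    child = parent.find(tag)
    if child is None or not (child.text or "").strip():
        return None
    return bytes.fromhex("".join(child.text.split()))


def derive_from_agreement_method(xml_text, ikm=None):
    """Map the element's children to HKDF inputs and return the output key."""
    # For untrusted documents, parse with a hardened XML parser instead.
    root = ET.fromstring(xml_text)
    if root.tag != "AgreementMethod" or _algorithm(root) != HKDF_URI:
        raise ValueError("not an HKDF AgreementMethod")
    digest = root.find("DigestMethod")
    if digest is None or _algorithm(digest) not in HASH_BY_URI:
        raise ValueError("missing or unsupported DigestMethod")
    # IKM may be omitted from the XML when known out of band (caller passes it).
    ikm = _hex_child(root, "OriginatorKeyInfo") or ikm
    if not ikm:
        raise ValueError("no initial keying material")
    size = root.find("KeySize")
    if size is None or not (size.text or "").strip().isdigit():
        raise ValueError("KeySize must be a decimal number")
    return hkdf(HASH_BY_URI[_algorithm(digest)],
                _hex_child(root, "Salt") or b"",
                ikm,
                _hex_child(root, "KA-Nonce") or b"",
                int(size.text))
```

Because the inputs strictly determine the output, any freshness has to come from the Salt or KA-Nonce values; repeating the same element yields the same key.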


3. KeyInfo 


In Section 3.1, a KeyInfo element child is specified, while in Section 3.2, additional KeyInfo Type 
values for use in RetrievalMethod are specified. 


3.1. PKCS #7 Bag of Certificates and CRLs 


A PKCS #7 [RFC2315] "signedData" can also be used as a bag of certificates and/or certificate 
revocation lists (CRLs). The PKCS7signedData element is defined to accommodate such structures 
within KeyInfo. The binary PKCS #7 structure is base64 [RFC4648] encoded. Any signer 
information present is ignored. The following is an example [RFC3092], eliding the base64 data: 


<foo:PKCS7signedData 
   xmlns:foo="http://www.w3.org/2001/04/xmldsig-more"> 


</foo:PKCS7signedData> 


3.2. Additional RetrievalMethod Type Values 


The Type attribute of RetrievalMethod is an optional identifier for the type of data to be retrieved. 
The result of dereferencing a RetrievalMethod reference for all KeyInfo types with an XML 
structure is an XML element or document with that element as the root. The various "raw" key 
information types return a binary value. Thus, they require a Type attribute because they are not 
unambiguously parsable. 


Identifiers: 
http://www.w3.org/2001/04/xmldsig-more#KeyName 
http://www.w3.org/2001/04/xmldsig-more#KeyValue 
http://www.w3.org/2001/04/xmldsig-more#PKCS7signedData 
http://www.w3.org/2001/04/xmldsig-more#rawPGPKeyPacket 
http://www.w3.org/2001/04/xmldsig-more#rawPKCS7signedData 
http://www.w3.org/2001/04/xmldsig-more#rawSPKISexp 
http://www.w3.org/2001/04/xmldsig-more#rawX509CRL 
http://www.w3.org/2001/04/xmldsig-more#RetrievalMethod 


4. Indexes 


The following subsections provide an index by URI and by fragment identifier (the portion of the 
URI after "#") of the algorithm and KeyInfo URIs defined in this document and in the standards 
plus the one KeyInfo child element name defined in this document. The "Sec/Doc" column has the 
section of this document or, if not specified in this document, the standards document where the 
item is specified. See also [XMLSECXREF]. 


4.1. Index by Fragment Index 


The initial "http://www.w3.org/" part of the URI is not included below. The first six entries have a 
null fragment identifier or no fragment identifier. "{Bad}" indicates a bad value that was 
accidentally included in [RFC6931]. Implementations SHOULD only generate the correct URI but 
SHOULD understand both the correct and erroneous URI. See also Appendix B. 


Fragment                   URI                                             Sec/Doc
-------------------------  ----------------------------------------------  ----------
                           2002/06/xmldsig-filter2                         [XPATH]
                           2006/12/xmlc12n11# {Bad}                        [CANON11]
                           2006/12/xmlc14n11#                              [CANON11]
                           TR/1999/REC-xslt-19991116                       [XSLT]
                           TR/1999/REC-xpath-19991116                      [XPATH]
                           TR/2001/06/xml-exc-c14n#                        [XCANON]
                           TR/2001/REC-xml-c14n-20010315                   [CANON10]
                           TR/2001/REC-xmlschema-1-20010502                [SCHEMA]
aes128-cbc                 2001/04/xmlenc#aes128-cbc                       [XMLENC11]
aes128-gcm                 2009/xmlenc11#aes128-gcm                        [XMLENC11]
aes192-cbc                 2001/04/xmlenc#aes192-cbc                       [XMLENC11]
aes192-gcm                 2009/xmlenc11#aes192-gcm                        [XMLENC11]
aes256-cbc                 2001/04/xmlenc#aes256-cbc                       [XMLENC11]
aes256-gcm                 2009/xmlenc11#aes256-gcm                        [XMLENC11]
arcfour                    2001/04/xmldsig-more#arcfour                    2.6.1
base64                     2000/09/xmldsig#base64                          [RFC3275]
camellia128-cbc            2001/04/xmldsig-more#camellia128-cbc            2.6.2
camellia192-cbc            2001/04/xmldsig-more#camellia192-cbc            2.6.2
camellia256-cbc            2001/04/xmldsig-more#camellia256-cbc            2.6.2
chacha20                   2021/04/xmldsig-more#chacha20                   2.6.7
chacha20poly1305           2021/04/xmldsig-more#chacha20poly1305           2.6.8
ConcatKDF                  2009/xmlenc11#ConcatKDF                         [XMLENC11]
decrypt#XML                2002/07/decrypt#XML                             [DECRYPT]
decrypt#Binary             2002/07/decrypt#Binary                          [DECRYPT]
DEREncodedKeyValue         2009/xmldsig11#DEREncodedKeyValue               [XMLDSIG11]
dh                         2001/04/xmlenc#dh                               [XMLENC11]
dh-es                      2009/xmlenc11#dh-es                             [XMLENC11]
dsa-sha1                   2000/09/xmldsig#dsa-sha1                        [RFC3275]
dsa-sha256                 2009/xmldsig11#dsa-sha256                       [XMLDSIG11]
DSAKeyValue                2000/09/xmldsig#DSAKeyValue                     [XMLDSIG11]
ECDH-ES                    2009/xmlenc11#ECDH-ES                           [XMLENC11]
ecdsa-ripemd160            2007/05/xmldsig-more#ecdsa-ripemd160            2.3.6
ecdsa-sha1                 2001/04/xmldsig-more#ecdsa-sha1                 2.3.6
ecdsa-sha224               2001/04/xmldsig-more#ecdsa-sha224               2.3.6
ecdsa-sha256               2001/04/xmldsig-more#ecdsa-sha256               2.3.6
ecdsa-sha384               2001/04/xmldsig-more#ecdsa-sha384               2.3.6
ecdsa-sha512               2001/04/xmldsig-more#ecdsa-sha512               2.3.6
ecdsa-sha3-224             2021/04/xmldsig-more#ecdsa-sha3-224             2.3.6
ecdsa-sha3-256             2021/04/xmldsig-more#ecdsa-sha3-256             2.3.6
ecdsa-sha3-384             2021/04/xmldsig-more#ecdsa-sha3-384             2.3.6
ecdsa-sha3-512             2021/04/xmldsig-more#ecdsa-sha3-512             2.3.6
ecdsa-whirlpool            2007/05/xmldsig-more#ecdsa-whirlpool            2.3.6
ecies-kem                  2010/xmlsec-ghc#ecies-kem                       [GENERIC]
ECKeyValue                 2009/xmldsig11#ECKeyValue                       [XMLDSIG11]
eddsa-ed25519              2021/04/xmldsig-more#eddsa-ed25519              2.3.12
eddsa-ed25519ctx           2021/04/xmldsig-more#eddsa-ed25519ctx           2.3.12
eddsa-ed25519ph            2021/04/xmldsig-more#eddsa-ed25519ph            2.3.12
eddsa-ed448                2021/04/xmldsig-more#eddsa-ed448                2.3.12
eddsa-ed448ph              2021/04/xmldsig-more#eddsa-ed448ph              2.3.12
enveloped-signature        2000/09/xmldsig#enveloped-signature             [RFC3275]
esign-sha1                 2001/04/xmldsig-more#esign-sha1                 2.3.7
esign-sha224               2001/04/xmldsig-more#esign-sha224               2.3.7
esign-sha256               2001/04/xmldsig-more#esign-sha256               2.3.7
esign-sha384               2001/04/xmldsig-more#esign-sha384               2.3.7
esign-sha512               2001/04/xmldsig-more#esign-sha512               2.3.7
generic-hybrid             2010/xmlsec-ghc#generic-hybrid                  [GENERIC]
hkdf                       2021/04/xmldsig-more#hkdf                       2.8.1
hmac-md5                   2001/04/xmldsig-more#hmac-md5                   2.2.1
hmac-ripemd160             2001/04/xmldsig-more#hmac-ripemd160             2.2.3
hmac-sha1                  2000/09/xmldsig#hmac-sha1                       [RFC3275]
hmac-sha224                2001/04/xmldsig-more#hmac-sha224                2.2.2
hmac-sha256                2001/04/xmldsig-more#hmac-sha256                2.2.2
hmac-sha384                2001/04/xmldsig-more#hmac-sha384                2.2.2
hmac-sha512                2001/04/xmldsig-more#hmac-sha512                2.2.2
KeyName                    2001/04/xmldsig-more#KeyName                    3.2
KeyValue                   2001/04/xmldsig-more#KeyValue                   3.2
kw-aes128                  2001/04/xmlenc#kw-aes128                        [XMLENC11]
kw-aes128-pad              2009/xmlenc11#kw-aes-128-pad                    [XMLENC11]
kw-aes192                  2001/04/xmlenc#kw-aes192                        [XMLENC11]
kw-aes192-pad              2009/xmlenc11#kw-aes-192-pad                    [XMLENC11]
kw-aes256                  2001/04/xmlenc#kw-aes256                        [XMLENC11]
kw-aes256-pad              2009/xmlenc11#kw-aes-256-pad                    [XMLENC11]
kw-camellia128             2001/04/xmldsig-more#kw-camellia128             2.6.3
kw-camellia192             2001/04/xmldsig-more#kw-camellia192             2.6.3
kw-camellia256             2001/04/xmldsig-more#kw-camellia256             2.6.3
kw-seed128                 2007/05/xmldsig-more#kw-seed128                 2.6.6
md2-rsa-MGF1               2007/05/xmldsig-more#md2-rsa-MGF1               2.3.10
md5                        2001/04/xmldsig-more#md5                        2.1.1
md5-rsa-MGF1               2007/05/xmldsig-more#md5-rsa-MGF1               2.3.10
MGF1                       2007/05/xmldsig-more#MGF1                       2.3.9
mgf1sha1                   2009/xmlenc11#mgf1sha1                          [XMLENC11]
mgf1sha224                 2009/xmlenc11#mgf1sha224                        [XMLENC11]
mgf1sha256                 2009/xmlenc11#mgf1sha256                        [XMLENC11]
mgf1sha384                 2009/xmlenc11#mgf1sha384                        [XMLENC11]
mgf1sha512                 2009/xmlenc11#mgf1sha512                        [XMLENC11]
MgmtData                   2000/09/xmldsig#MgmtData                        [XMLDSIG11]
minimal                    2000/09/xmldsig#minimal                         2.4
pbkdf2                     2009/xmlenc11#pbkdf2                            [XMLENC11]
PGPData                    2000/09/xmldsig#PGPData                         [XMLDSIG11]
PKCS7signedData            2001/04/xmldsig-more#PKCS7signedData            3.1
PKCS7signedData            2001/04/xmldsig-more#PKCS7signedData            3.2
poly1305                   2021/04/xmldsig-more#poly1305                   2.2.4
psec-kem                   2001/04/xmldsig-more#psec-kem                   2.6.4
rawPGPKeyPacket            2001/04/xmldsig-more#rawPGPKeyPacket            3.2
rawPKCS7signedData         2001/04/xmldsig-more#rawPKCS7signedData         3.2
rawSPKISexp                2001/04/xmldsig-more#rawSPKISexp                3.2
rawX509Certificate         2000/09/xmldsig#rawX509Certificate              [RFC3275]
rawX509CRL                 2001/04/xmldsig-more#rawX509CRL                 3.2
RetrievalMethod            2001/04/xmldsig-more#RetrievalMethod            3.2
ripemd128-rsa-MGF1         2007/05/xmldsig-more#ripemd128-rsa-MGF1         2.3.10
ripemd160                  2001/04/xmlenc#ripemd160                        [XMLENC11]
ripemd160-rsa-MGF1         2007/05/xmldsig-more#ripemd160-rsa-MGF1         2.3.10
rsa-1_5                    2001/04/xmlenc#rsa-1_5                          [XMLENC11]
rsa-md5                    2001/04/xmldsig-more#rsa-md5                    2.3.1
rsa-oaep                   2009/xmlenc11#rsa-oaep                          [XMLENC11]
rsa-oaep-mgf1p             2001/04/xmlenc#rsa-oaep-mgf1p                   [XMLENC11]
rsa-pss                    2007/05/xmldsig-more#rsa-pss                    2.3.9
rsa-ripemd160              2007/05/xmldsig-more#rsa-ripemd160              2.3.5
rsa-sha1                   2000/09/xmldsig#rsa-sha1                        [RFC3275]
rsa-sha224                 2007/05/xmldsig-more#rsa-sha224 {Bad}           2.3.11
rsa-sha224                 2001/04/xmldsig-more#rsa-sha224                 2.3.11
rsa-sha256                 2001/04/xmldsig-more#rsa-sha256                 2.3.2
rsa-sha384                 2001/04/xmldsig-more#rsa-sha384                 2.3.3
rsa-sha512                 2001/04/xmldsig-more#rsa-sha512                 2.3.4
rsa-whirlpool              2007/05/xmldsig-more#rsa-whirlpool              2.3.8
rsaes-kem                  2010/xmlsec-ghc#rsaes-kem                       [GENERIC]
RSAKeyValue                2000/09/xmldsig#RSAKeyValue                     [XMLDSIG11]
seed128-cbc                2007/05/xmldsig-more#seed128-cbc                2.6.5
sha1                       2000/09/xmldsig#sha1                            [RFC3275]
sha1-rsa-MGF1              2007/05/xmldsig-more#sha1-rsa-MGF1              2.3.10
sha224                     2001/04/xmldsig-more#sha224                     2.1.2
sha224-rsa-MGF1            2007/05/xmldsig-more#sha224-rsa-MGF1            2.3.10
sha256                     2001/04/xmlenc#sha256                           [XMLENC11]
sha256-rsa-MGF1            2007/05/xmldsig-more#sha256-rsa-MGF1            2.3.10
sha3-224                   2007/05/xmldsig-more#sha3-224                   2.1.5
sha3-224-rsa-MGF1          2007/05/xmldsig-more#sha3-224-rsa-MGF1          2.3.10
sha3-256                   2007/05/xmldsig-more#sha3-256                   2.1.5
sha3-256-rsa-MGF1          2007/05/xmldsig-more#sha3-256-rsa-MGF1          2.3.10
sha3-384                   2007/05/xmldsig-more#sha3-384                   2.1.5
sha3-384-rsa-MGF1          2007/05/xmldsig-more#sha3-384-rsa-MGF1          2.3.10
sha3-512                   2007/05/xmldsig-more#sha3-512                   2.1.5
sha3-512-rsa-MGF1          2007/05/xmldsig-more#sha3-512-rsa-MGF1          2.3.10
sha384                     2001/04/xmldsig-more#sha384                     2.1.3
sha384-rsa-MGF1            2007/05/xmldsig-more#sha384-rsa-MGF1            2.3.10
sha512                     2001/04/xmlenc#sha512                           [XMLENC11]
sha512-rsa-MGF1            2007/05/xmldsig-more#sha512-rsa-MGF1            2.3.10
siphash-2-4                2021/04/xmldsig-more#siphash-2-4                2.2.5
SPKIData                   2000/09/xmldsig#SPKIData                        [XMLDSIG11]
tripledes-cbc              2001/04/xmlenc#tripledes-cbc                    [XMLENC11]
whirlpool                  2007/05/xmldsig-more#whirlpool                  2.1.4
whirlpool-rsa-MGF1         2007/05/xmldsig-more#whirlpool-rsa-MGF1         2.3.10
WithComments               2006/12/xmlc14n11#WithComments                  [CANON11]
WithComments               TR/2001/06/xml-exc-c14n#WithComments            [XCANON]
WithComments               TR/2001/REC-xml-c14n-20010315#WithComments      [CANON10]
x25519                     2021/04/xmldsig-more#x25519                     2.7.1
x448                       2021/04/xmldsig-more#x448                       2.7.1
X509Data                   2000/09/xmldsig#X509Data                        [XMLDSIG11]
xmss-sha2-10-192           2021/04/xmldsig-more#xmss-sha2-10-192           2.2.6
xmss-sha2-10-256           2021/04/xmldsig-more#xmss-sha2-10-256           2.2.6
xmss-sha2-10-512           2021/04/xmldsig-more#xmss-sha2-10-512           2.2.6
xmss-sha2-16-192           2021/04/xmldsig-more#xmss-sha2-16-192           2.2.6
xmss-sha2-16-256           2021/04/xmldsig-more#xmss-sha2-16-256           2.2.6
xmss-sha2-16-512           2021/04/xmldsig-more#xmss-sha2-16-512           2.2.6
xmss-sha2-20-192           2021/04/xmldsig-more#xmss-sha2-20-192           2.2.6
xmss-sha2-20-256           2021/04/xmldsig-more#xmss-sha2-20-256           2.2.6
xmss-sha2-20-512           2021/04/xmldsig-more#xmss-sha2-20-512           2.2.6
xmss-shake-10-256          2021/04/xmldsig-more#xmss-shake-10-256          2.2.6
xmss-shake-10-512          2021/04/xmldsig-more#xmss-shake-10-512          2.2.6
xmss-shake-16-256          2021/04/xmldsig-more#xmss-shake-16-256          2.2.6
xmss-shake-16-512          2021/04/xmldsig-more#xmss-shake-16-512          2.2.6
xmss-shake-20-256          2021/04/xmldsig-more#xmss-shake-20-256          2.2.6
xmss-shake-20-512          2021/04/xmldsig-more#xmss-shake-20-512          2.2.6
xmss-shake256-10-192       2021/04/xmldsig-more#xmss-shake256-10-192       2.2.6
xmss-shake256-10-256       2021/04/xmldsig-more#xmss-shake256-10-256       2.2.6
xmss-shake256-16-192       2021/04/xmldsig-more#xmss-shake256-16-192       2.2.6
xmss-shake256-16-256       2021/04/xmldsig-more#xmss-shake256-16-256       2.2.6
xmss-shake256-20-192       2021/04/xmldsig-more#xmss-shake256-20-192       2.2.6
xmss-shake256-20-256       2021/04/xmldsig-more#xmss-shake256-20-256       2.2.6
xmssmt-sha2-20-2-192       2021/04/xmldsig-more#xmssmt-sha2-20-2-192       2.2.6
xmssmt-sha2-20-2-256       2021/04/xmldsig-more#xmssmt-sha2-20-2-256       2.2.6
xmssmt-sha2-20-2-256       2021/04/xmldsig-more#xmssmt-sha2-20-2-512       2.2.6
xmssmt-sha2-20-4-192       2021/04/xmldsig-more#xmssmt-sha2-20-4-192       2.2.6
xmssmt-sha2-20-4-256       2021/04/xmldsig-more#xmssmt-sha2-20-4-256       2.2.6
xmssmt-sha2-20-4-256       2021/04/xmldsig-more#xmssmt-sha2-20-4-512       2.2.6
xmssmt-sha2-40-2-192       2021/04/xmldsig-more#xmssmt-sha2-40-2-192       2.2.6
xmssmt-sha2-40-2-256       2021/04/xmldsig-more#xmssmt-sha2-40-2-256       2.2.6
xmssmt-sha2-40-2-256       2021/04/xmldsig-more#xmssmt-sha2-40-2-512       2.2.6
xmssmt-sha2-40-4-192       2021/04/xmldsig-more#xmssmt-sha2-40-4-192       2.2.6
xmssmt-sha2-40-4-256       2021/04/xmldsig-more#xmssmt-sha2-40-4-256       2.2.6
xmssmt-sha2-40-4-256       2021/04/xmldsig-more#xmssmt-sha2-40-4-512       2.2.6
xmssmt-sha2-40-8-192       2021/04/xmldsig-more#xmssmt-sha2-40-8-192       2.2.6
xmssmt-sha2-40-8-256       2021/04/xmldsig-more#xmssmt-sha2-40-8-256       2.2.6
xmssmt-sha2-40-8-256       2021/04/xmldsig-more#xmssmt-sha2-40-8-512       2.2.6
xmssmt-sha2-60-3-192       2021/04/xmldsig-more#xmssmt-sha2-60-3-192       2.2.6
xmssmt-sha2-60-3-256       2021/04/xmldsig-more#xmssmt-sha2-60-3-256       2.2.6
xmssmt-sha2-60-3-256       2021/04/xmldsig-more#xmssmt-sha2-60-3-512       2.2.6
xmssmt-sha2-60-6-192       2021/04/xmldsig-more#xmssmt-sha2-60-6-192       2.2.6
xmssmt-sha2-60-6-256       2021/04/xmldsig-more#xmssmt-sha2-60-6-256       2.2.6
xmssmt-sha2-60-6-256       2021/04/xmldsig-more#xmssmt-sha2-60-6-512       2.2.6
xmssmt-sha2-60-12-192      2021/04/xmldsig-more#xmssmt-sha2-60-12-192      2.2.6
xmssmt-sha2-60-12-256      2021/04/xmldsig-more#xmssmt-sha2-60-12-256      2.2.6
xmssmt-sha2-60-12-256      2021/04/xmldsig-more#xmssmt-sha2-60-12-512      2.2.6
xmssmt-shake-20-2-256      2021/04/xmldsig-more#xmssmt-shake-20-2-256      2.2.6
xmssmt-shake-20-2-512      2021/04/xmldsig-more#xmssmt-shake-20-2-512      2.2.6
xmssmt-shake-20-4-256      2021/04/xmldsig-more#xmssmt-shake-20-4-256      2.2.6
xmssmt-shake-20-4-512      2021/04/xmldsig-more#xmssmt-shake-20-4-512      2.2.6
xmssmt-shake-40-2-256      2021/04/xmldsig-more#xmssmt-shake-40-2-256      2.2.6
xmssmt-shake-40-2-512      2021/04/xmldsig-more#xmssmt-shake-40-2-512      2.2.6
xmssmt-shake-40-4-256      2021/04/xmldsig-more#xmssmt-shake-40-4-256      2.2.6
xmssmt-shake-40-4-512      2021/04/xmldsig-more#xmssmt-shake-40-4-512      2.2.6
xmssmt-shake-40-8-256      2021/04/xmldsig-more#xmssmt-shake-40-8-256      2.2.6
xmssmt-shake-40-8-512      2021/04/xmldsig-more#xmssmt-shake-40-8-512      2.2.6
xmssmt-shake-60-3-256      2021/04/xmldsig-more#xmssmt-shake-60-3-256      2.2.6
xmssmt-shake-60-3-512      2021/04/xmldsig-more#xmssmt-shake-60-3-512      2.2.6
xmssmt-shake-60-6-256      2021/04/xmldsig-more#xmssmt-shake-60-6-256      2.2.6
xmssmt-shake-60-6-512      2021/04/xmldsig-more#xmssmt-shake-60-6-512      2.2.6
xmssmt-shake-60-12-256     2021/04/xmldsig-more#xmssmt-shake-20-12-256     2.2.6
xmssmt-shake-60-12-512     2021/04/xmldsig-more#xmssmt-shake-20-12-512     2.2.6
xmssmt-shake256-20-2-192   2021/04/xmldsig-more#xmssmt-shake256-20-2-192   2.2.6
xmssmt-shake256-20-2-256   2021/04/xmldsig-more#xmssmt-shake256-20-2-256   2.2.6
xmssmt-shake256-20-4-192   2021/04/xmldsig-more#xmssmt-shake256-20-4-192   2.2.6
xmssmt-shake256-20-4-256   2021/04/xmldsig-more#xmssmt-shake256-20-4-256   2.2.6
xmssmt-shake256-40-2-192   2021/04/xmldsig-more#xmssmt-shake256-40-2-192   2.2.6
xmssmt-shake256-40-2-256   2021/04/xmldsig-more#xmssmt-shake256-40-2-256   2.2.6
xmssmt-shake256-40-4-192   2021/04/xmldsig-more#xmssmt-shake256-40-4-192   2.2.6
xmssmt-shake256-40-4-256   2021/04/xmldsig-more#xmssmt-shake256-40-4-256   2.2.6
xmssmt-shake256-40-8-192   2021/04/xmldsig-more#xmssmt-shake256-40-8-192   2.2.6
xmssmt-shake256-40-8-256   2021/04/xmldsig-more#xmssmt-shake256-40-8-256   2.2.6
xmssmt-shake256-60-3-192   2021/04/xmldsig-more#xmssmt-shake256-60-3-192   2.2.6
xmssmt-shake256-60-3-256   2021/04/xmldsig-more#xmssmt-shake256-60-3-256   2.2.6
xmssmt-shake256-60-6-192   2021/04/xmldsig-more#xmssmt-shake256-60-6-192   2.2.6
xmssmt-shake256-60-6-256   2021/04/xmldsig-more#xmssmt-shake256-60-6-256   2.2.6
xmssmt-shake256-60-12-192  2021/04/xmldsig-more#xmssmt-shake256-60-12-192  2.2.6
xmssmt-shake256-60-12-256  2021/04/xmldsig-more#xmssmt-shake256-60-12-256  2.2.6
xptr                       2001/04/xmldsig-more#xptr                       2.5.1


The initial "http://www.w3.org/" part of the URI is not included above. 


4.2. Index by URI 


The initial "http://www.w3.org/" part of the URI is not included below. "{Bad}" indicates a bad 
value that was accidentally included in [RFC6931]. Implementations SHOULD only generate the 
correct URI but SHOULD understand both the correct and erroneous URI. See also Appendix B. 
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URI 


2000/09/xmldsigfbase64 
2000/09/xmldsigfDSAKeyValue 
2000/09/xmldsigfdsa-sha1 
2000/09/xmldsigfenveloped-signature 
2000/09/xmldsigfhmac-shal1 
2000/09/xmldsigfMgmtData 
2000/09/xmldsigŵfminimal 
2000/09/xmldsigfPGPData 
2000/09/xmldsigfrawX509Certificate 
2000/09/xmldsigfrsa-shal1 
2000/09/xmldsigfRSAKeyValue 
2000/09/xmldsigsfsha1 
2000/09/xmldsig#SPKIData 
2000/09/xmldsig#X509Data 


2001/04/xmldsig-morefarcfour 
2001/04/xmldsig-morefcamellia128-cbc 
2001/04/xmldsig-morefcamellia192-cbc 
2001/04/xmldsig-morefcamellia256-cbc 
2001/04/xmldsig-morefecdsa-sha1 
2001/04/xmldsig-morefecdsa-sha224 
2001/04/xmldsig-morefecdsa-sha256 
2001/04/xmldsig-morefecdsa-sha384 
2001/04/xmldsig-morefecdsa-sha512 
2001/04/xmldsig-morefesign-sha1 
2001/04/xmldsig-morefesign-sha224 
2001/04/xmldsig-morefesign-sha256 
2001/04/xmldsig-morefesign-sha384 
2001/04/xmldsig-morefesign-sha512 
2001/04/xmldsig-more#hmac-md5 
2001/04/xmldsig-more#hmac-ripemd16@ 
2001/04/xmldsig-more#hmac-sha224 
2001/04/xmldsig-more#hmac-sha256 
2001/04/xmldsig-more#hmac-sha384 
2001/04/xmldsig-more#hmac-sha512 
2001/04/xmldsig-more#KeyName 
2001/04/xmldsig-more#KeyValue 
2001/04/xmldsig-more#kw-camellia128 
2001/04/xmldsig-more#kw-camellia192 
2001/04/xmldsig-more#kw-camellia256 
2001/04/xmldsig-more#md5 
2001/04/xmldsig-morefPKCS7signedData 
2001/04/xmldsig-morefpsec-kem 
2001/04/xmldsig-morefrawPGPKeyPacket 
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[RFC3275] 
[RFC3275] 
[RFC3275] 
[RFC3275] 
[RFC3275] 
[RFC3275] 
2.4 
[RFC3275] 
[RFC3275] 
[RFC3275] 
[RFC3275] 
[RFC3275] 
[RFC3275] 
[RFC3275] 


NNNNWANNNNNADADAANNDNE — 


SDO NA SM DROS NHS NO NHS ESBS DS ISDS DS DON NUS DEBI HAIN) 
A= WWW 


VAN ADDANNNNNNNN WWWWWWWWWWADAD 


2001/04/xmldsig-morefrawPKCS7signedData 3. 2 


2001/04/xmldsig-morefrawSPKISexp 
2001/04/xmldsig-morefrawX509CRL 
2001/04/xmldsig-morefRetrievalMethod 
2001/04/xmldsig-morefrsa-md5 
2001/04/xmldsig-morefrsa-sha224 
2001/04/xmldsig-morefrsa-sha256 
2001/04/xmldsig-morefrsa-sha384 
2001/04/xmldsig-morefrsa-sha512 
2001/04/xmldsig-morefrsa-ripemd160 
2001/04/xmldsig-morefsha224 
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2001/04/xmldsig-morefsha384 
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2001/04/xmldsig-morefPKCS7signedData 


2001/04/xmlencfaes128-cbc 
2001/04/xmlencfaes192-cbc 
2001/04/xmlencfaes256-cbc 
2001/04/xmlenc#dh 
2001/04/xmlenc#kw-aes128 
2001 /04/xmlenc#kw-aes192 
2001/04/xmlenc#kw-aes256 
2001/04/xmlencífripemd160 
2001/04/xmlenc#rsa-1_5 
2001/04/xmlencfrsa-oaep-mgf1p 
2001/04/xmlencfsha256 
2001/04/xmlencfsha512 
2001/04/xmlencíftripledes-cbc 


2002/06/xmldsig-filter2 


2002/07/decrypt#XML 
2002/07/decrypt#Binary 


2006/12/xmlc12n11# {Bad} 
2006/12/xmlc14n11# 


2006/12/xmlc14n11#WithComments 


2007/05/xmldsig-morefecdsa-ripemd160 
2007/05/xmldsig-morefecdsa-whirlpool 
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2o | 
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[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 
[ XMLENC11 ] 


[XPATH] 


[DECRYPT] 
[DECRYPT] 


[CANON11] 
[CANON11] 
[CANON11] 


2007/05/xmldsig-morefkw-seed128 
2007/05/xmldsig-more#md2-rsa-MGF1 
2007/05/xmldsig-more#md5-rsa-MGF1 


2007/05/xmldsig-more#MGF1 


2007/05/xmldsig-morefripemd128-rsa-MGF1 2. 3. 10 
2007/05/xmldsig-morefripemd160-rsa-MGF1 2.3.10 
2007/05/xmldsig-morefrsa-pss 
2007/05/xmldsig-morefrsa-sha224 {Bad} 
2007/05/xmldsig-morefrsa-whirlpool 
2007/05/xmldsig-morefseed128-cbc 
2007/05/xmldsig-morefsha1-rsa-MGF1 
2007/05/xmldsig-morefsha224-rsa-MGF1 
2007/05/xmldsig-morefsha256-rsa-MGF1 
2007/05/xmldsig-more#sha3-224 
2007/05/xmldsig-more#sha3-224-rsa-MGF1 
2007/05/xmldsig-more#sha3-256 
2007/05/xmldsig-more#sha3-256-rsa-MGF1 
2007/05/xmldsig-more#sha3-384 
2007/05/xmldsig-more#sha3-384-rsa-MGF1 
2007/05/xmldsig-more#sha3-512 
2007/05/xmldsig-more#sha3-512-rsa-MGF1 
2007/05/xmldsig-more#sha384-rsa-MGF1 
2007/05/xmldsig-more#sha512-rsa-MGF1 
2007/05/xmldsig-more#whirlpool .4 
2007/05/xmldsig-morefwhirlpool-rsa-MGF1 2. 310 


DOTS? 
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2009/xmlenc11#kw-aes-128-pad 
2009/xmlenc11#kw-aes-192-pad
2009/xmlenc11#kw-aes-256-pad


2009/xmldsig11#dsa-sha256 [XMLDSIG11]
2009/xmldsig11#ECKeyValue [XMLDSIG11]
2009/xmldsig11#DEREncodedKeyValue [XMLDSIG11]


2009/xmlenc11#aes128-gcm 
2009/xmlenc11#aes192-gcm 
2009/xmlenc11#aes256-gcm 
2009/xmlenc11#ConcatKDF 
2009/xmlenc11#mgf1sha1
2009/xmlenc11#mgf1sha224 
2009/xmlenc11#mgf1sha256 
2009/xmlenc11#mgf1sha384 
2009/xmlenc11#mgf1sha512 
2009/xmlenc11#pbkdf2 
2009/xmlenc11#rsa-oaep 
2009/xmlenc11#ECDH-ES 
2009/xmlenc11#dh-es 


2010/xmlsec-ghc#generic-hybrid
2010/xmlsec-ghc#rsaes-kem
2010/xmlsec-ghc#ecies-kem


2021/04/xmldsig-more#chacha20
2021/04/xmldsig-more#chacha20poly1305
2021/04/xmldsig-more#ecdsa-sha3-224
2021/04/xmldsig-more#ecdsa-sha3-256
2021/04/xmldsig-more#ecdsa-sha3-384
2021/04/xmldsig-more#ecdsa-sha3-512
2021/04/xmldsig-more#eddsa-ed25519ph
2021/04/xmldsig-more#eddsa-ed25519ctx
2021/04/xmldsig-more#eddsa-ed25519
2021/04/xmldsig-more#eddsa-ed448
2021/04/xmldsig-more#eddsa-ed448ph
2021/04/xmldsig-more#hkdf
2021/04/xmldsig-more#poly1305
2021/04/xmldsig-more#siphash-2-4
2021/04/xmldsig-more#x25519
2021/04/xmldsig-more#x448


2021/04/xmldsig-more#xmss-sha2-10-192
2021/04/xmldsig-more#xmss-sha2-10-256
2021/04/xmldsig-more#xmss-sha2-10-512
2021/04/xmldsig-more#xmss-sha2-16-192
2021/04/xmldsig-more#xmss-sha2-16-256
2021/04/xmldsig-more#xmss-sha2-16-512
2021/04/xmldsig-more#xmss-sha2-20-192
2021/04/xmldsig-more#xmss-sha2-20-256
2021/04/xmldsig-more#xmss-sha2-20-512
2021/04/xmldsig-more#xmss-shake-10-256
2021/04/xmldsig-more#xmss-shake-10-512
2021/04/xmldsig-more#xmss-shake-16-256
2021/04/xmldsig-more#xmss-shake-16-512
2021/04/xmldsig-more#xmss-shake-20-256
2021/04/xmldsig-more#xmss-shake-20-512


2021/04/xmldsig-more#xmss-shake256-10-192
2021/04/xmldsig-more#xmss-shake256-10-256
2021/04/xmldsig-more#xmss-shake256-16-192
2021/04/xmldsig-more#xmss-shake256-16-256
2021/04/xmldsig-more#xmss-shake256-20-192
2021/04/xmldsig-more#xmss-shake256-20-256


2021/04/xmldsig-more#xmssmt-sha2-20-2-192 
2021/04/xmldsig-more#xmssmt-sha2-20-2-256 
2021/04/xmldsig-more#xmssmt-sha2-20-2-512 
2021/04/xmldsig-more#xmssmt-sha2-20-4-192 
2021/04/xmldsig-more#xmssmt-sha2-20-4-256 
2021/04/xmldsig-more#xmssmt-sha2-20-4-512 
2021/04/xmldsig-more#xmssmt-sha2-40-2-192 
2021/04/xmldsig-more#xmssmt-sha2-40-2-256 
2021/04/xmldsig-more#xmssmt-sha2-40-2-512 
2021/04/xmldsig-more#xmssmt-sha2-40-4-192 
2021/04/xmldsig-more#xmssmt-sha2-40-4-256 
2021/04/xmldsig-more#xmssmt-sha2-40-4-512 
2021/04/xmldsig-more#xmssmt-sha2-40-8-192 
2021/04/xmldsig-more#xmssmt-sha2-40-8-256 
2021/04/xmldsig-more#xmssmt-sha2-40-8-512 
2021/04/xmldsig-more#xmssmt-sha2-60-3-192 
2021/04/xmldsig-more#xmssmt-sha2-60-3-256 
2021/04/xmldsig-more#xmssmt-sha2-60-3-512 
2021/04/xmldsig-more#xmssmt-sha2-60-6-192 
2021/04/xmldsig-more#xmssmt-sha2-60-6-256 
2021/04/xmldsig-more#xmssmt-sha2-60-6-512 
2021/04/xmldsig-more#xmssmt-sha2-60-12-192 
2021/04/xmldsig-more#xmssmt-sha2-60-12-256 
2021/04/xmldsig-more#xmssmt-sha2-60-12-512 




2021/04/xmldsig-more#xmssmt-shake-20-2-256
2021/04/xmldsig-more#xmssmt-shake-20-2-512
2021/04/xmldsig-more#xmssmt-shake-20-4-256
2021/04/xmldsig-more#xmssmt-shake-20-4-512
2021/04/xmldsig-more#xmssmt-shake-40-2-256
2021/04/xmldsig-more#xmssmt-shake-40-2-512
2021/04/xmldsig-more#xmssmt-shake-40-4-256
2021/04/xmldsig-more#xmssmt-shake-40-4-512
2021/04/xmldsig-more#xmssmt-shake-40-8-256
2021/04/xmldsig-more#xmssmt-shake-40-8-512
2021/04/xmldsig-more#xmssmt-shake-60-3-256
2021/04/xmldsig-more#xmssmt-shake-60-3-512
2021/04/xmldsig-more#xmssmt-shake-60-6-256
2021/04/xmldsig-more#xmssmt-shake-60-6-512


2021/04/xmldsig-more#xmssmt-shake256-40-4-256 2.2.6 SignatureMethod
2021/04/xmldsig-more#xmssmt-shake256-40-8-192 2.2.6 SignatureMethod
2021/04/xmldsig-more#xmssmt-shake256-40-8-256 2.2.6 SignatureMethod
2021/04/xmldsig-more#xmssmt-shake256-60-3-192 2.2.6 SignatureMethod
2021/04/xmldsig-more#xmssmt-shake256-60-3-256 2.2.6 SignatureMethod
2021/04/xmldsig-more#xmssmt-shake256-60-6-192 2.2.6 SignatureMethod
2021/04/xmldsig-more#xmssmt-shake256-60-6-256 2.2.6 SignatureMethod
2021/04/xmldsig-more#xmssmt-shake256-60-12-192 2.2.6 SignatureMethod
2021/04/xmldsig-more#xmssmt-shake256-60-12-256 2.2.6 SignatureMethod


TR/1999/REC-xpath-19991116 [XPATH] Transform
TR/1999/REC-xslt-19991116 [XSLT] Transform
TR/2001/06/xml-exc-c14n# [XCANON] Canonicalization
TR/2001/06/xml-exc-c14n#WithComments [XCANON] Canonicalization
TR/2001/REC-xml-c14n-20010315 [CANON10] Canonicalization
TR/2001/REC-xml-c14n-20010315#WithComments [CANON10] Canonicalization
TR/2001/REC-xmlschema-1-20010502 [SCHEMA] Transform

URI Sec/Doc Type 


The initial "http://www.w3.org/" part of the URI is not included above. "{Bad}" indicates a Bad 
value that was accidentally included in [RFC6931]. Implementations SHOULD only generate the 
correct URI but SHOULD understand both the correct and erroneous URI. See also Appendix B. 


5. Allocation Considerations 


W3C and IANA allocation considerations are given below.


5.1. W3C Allocation Considerations 


As it is easy for people to construct their own unique URIs [RFC3986] and, if appropriate, to obtain 
a URI from the W3C, additional URI specification under the following XMLSEC URI prefixes is 
prohibited as shown: 


URI Status
http://www.w3.org/2000/09/xmldsig# Frozen by W3C.
http://www.w3.org/2001/04/xmldsig-more# Frozen with RFC 4051.
http://www.w3.org/2007/05/xmldsig-more# Frozen with [RFC6931].
Table 2


The W3C has assigned <http://www.w3.org/2021/04/xmldsig-more#> for additional new URIs
specified in this document. 


There are also occurrences in this document of <http://www.w3.org/2010/xmlsec-ghc#> due to the 
inclusion of some algorithms from [GENERIC] for convenience. 


An "xmldsig-more" URI does not imply any official W3C or IETF status for these algorithms or 
identifiers nor does it imply that they are only useful in digital signatures. Currently, 
dereferencing such URIs may or may not produce a temporary placeholder document. 
Permission to use these URI prefixes has been given by the W3C. 


5.2. IANA Considerations 


IANA has established a registry entitled "XML Security URIs". The contents have been updated to 
correspond to Section 4.2 of this document with each section number in the "Sec/Doc" column 
augmented with a reference to this RFC (for example, "2.6.4" means "[RFC9231], Section 2.6.4"). All 
references to [RFC6931] in that registry have been updated to RFC 9231. 


New entries, including new Types, will be added based on Specification Required [RFC8126]. 
Criteria for the designated expert for inclusion are (1) documentation sufficient for 
interoperability of the algorithm or data type and the XML syntax for its representation and use 
and (2) sufficient importance as normally indicated by inclusion in (2a) an approved W3C Note, 
Proposed Recommendation, or Recommendation, or (2b) an approved RFC. 


Typically, the registry will reference a W3C or IETF document specifying such XML syntax; that 
document will either contain a more detailed description of the algorithm or data type or 
reference another document with a more detailed description. 


6. Security Considerations 


This RFC is concerned with documenting the URIs that designate algorithms and some data types 
used in connection with XML security. The security considerations vary widely with the particular 
algorithms, and the general security considerations for XML security are outside of the scope of 
this document but appear in [XMLDSIG11], [XMLENC11], [CANON10], [CANON11], and [GENERIC].


[RFC6151] should be consulted before considering the use of MD5 as a DigestMethod or the use of 
HMAC-MD5 or RSA-MD5 as a SignatureMethod.


See [RFC6194] for SHA-1 security considerations. 


Additional security considerations are given in connection with the description of some 
algorithms in the body of this document. 
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Implementers should be aware that cryptographic algorithms become weaker with time. As new 
cryptoanalysis techniques are developed and computing performance improves, the work factor 
to break a particular cryptographic algorithm will decrease. Therefore, cryptographic 
implementations should be modular, allowing new algorithms to be readily inserted. That is, 
implementers should be prepared for the set of mandatory-to-implement algorithms for any 
particular use to change over time. This is sometimes referred to as "algorithm agility" [RFC7696]. 
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Appendix A. Changes from RFC 6931 


The following changes have been made in [RFC6931] to produce this document. 


* Deleted Appendix on Changes from RFC 4051, since they were already included in [RFC6931],
and remove reference to RFC 4051 and to the one Errata against RFC 4051.

* Fixed three errata as follows: [Err3597], [Err3965], and [Err4004]. In cases where [RFC6931]
had an erroneous URI, it is still included in the indices and it is stated that implementations
SHOULD only generate the correct URI but SHOULD understand both the correct and
erroneous URI.

* Added the following algorithms:


Section Algorithm(s)
2.2.4 Poly1305
2.2.5 SipHash-2-4
2.2.6 XMSS and XMSSMT
2.3.6 ECDSA with SHA3
2.3.12 Edwards-Curve Signatures
2.6.7 ChaCha20
2.6.8 ChaCha20+Poly1305
2.7.1 X25519
2.8.1 HKDF
Table 3


* Listed ECIES-KEM and RSAES-KEM in Section 2.6.4 so they are easier to find even though the
URI for them is specified in [GENERIC].

* Updated references for [GENERIC] and FIPS 186, added appropriate references.

* Added some XML examples.

* Fixed minor typos and added editorial changes.

* A number of acronyms were added to Section 1.2.


Appendix B. Bad URIs 


[RFC6931] included two bad URIs as shown below. "{Bad}" in the indexes (Sections 4.1 and 4.2) 
indicates such a bad value. Implementations SHOULD only generate the correct URI but SHOULD 
understand both the correct and erroneous URI. 


2006/12/xmlc12n11# 


Appears in the indices (Sections 4.1 and 4.2 of [RFC6931]) when it should be
"2006/12/xmlc14n11#" (i.e., the "12" inside "xmlc12n11" should have been "14"). This is
[Err3965] and is corrected in this document.


2007/05/xmldsig-more#rsa-sha224 


Appears in the indices (Sections 4.1 and 4.2 of [RFC6931]) when it should be
"2001/04/xmldsig-more#rsa-sha224". This is [Err4004] and is corrected in this document.
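

One way a verifier can follow the Appendix B rule (understand both URIs, use only the correct one) together with the algorithm-agility advice in Section 6 is sketched below. This is an added example, not part of RFC 9231: the function names, the allow-list policy and the sample SignedInfo are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

W3 = "http://www.w3.org/"
DSIG = W3 + "2000/09/xmldsig#"

# Erroneous URI -> correct URI: the two pairs listed in Appendix B.
BAD_TO_CORRECT = {
    W3 + "2006/12/xmlc12n11#": W3 + "2006/12/xmlc14n11#",
    W3 + "2007/05/xmldsig-more#rsa-sha224": W3 + "2001/04/xmldsig-more#rsa-sha224",
}

def normalize(uri):
    """Correct form of an algorithm URI; exact match only, never by prefix."""
    return BAD_TO_CORRECT.get(uri, uri)

def audit_algorithms(xml_text, allowed):
    """Return (element, uri_as_written, uri_to_dispatch, verdict) per Algorithm
    attribute. The document is not modified: these attributes sit inside
    SignedInfo, so rewriting them would change the signed bytes."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        written = el.get("Algorithm")
        if written is None:
            continue
        dispatch = normalize(written)
        if dispatch not in allowed:
            verdict = "rejected"
        else:
            verdict = "accepted" if dispatch == written else "accepted-erroneous"
        findings.append((el.tag.rsplit("}", 1)[-1], written, dispatch, verdict))
    return findings

# Assumed local policy (not from the RFC). Holding it as data lets algorithms
# be added or retired without touching the verifier code.
ALLOWED = {
    W3 + "2006/12/xmlc14n11#",
    W3 + "2001/04/xmldsig-more#rsa-sha224",
    W3 + "2001/04/xmlenc#sha256",
}

# Constructed sample: both erroneous URIs plus an MD5 digest the policy omits.
SAMPLE = f"""<SignedInfo xmlns="{DSIG}">
  <CanonicalizationMethod Algorithm="{W3}2006/12/xmlc12n11#"/>
  <SignatureMethod Algorithm="{W3}2007/05/xmldsig-more#rsa-sha224"/>
  <Reference URI=""><DigestMethod Algorithm="{W3}2001/04/xmldsig-more#md5"/></Reference>
</SignedInfo>"""

if __name__ == "__main__":
    print(*audit_algorithms(SAMPLE, ALLOWED), sep="\n")
```

A signer would pass its configured URI through `normalize` before writing it, so that only the correct form is ever generated.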
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